Author Topic: Recover files from chest  (Read 7481 times)

anlim

  • Guest
Recover files from chest
« on: February 26, 2011, 04:56:04 AM »
How can I recover files from Chest? I had them moved there after Avast scan showed they were infected. Since I had never used Avast before, I clicked Moved to chest, which was the suggested option. Unfortunately, I have no other copy of those important files and now would like to have the files recovered and then maybe repaired, rather than be gone forever.

SafeSurf

  • Guest
Re: Recover files from chest
« Reply #1 on: February 26, 2011, 06:40:15 AM »
Yes, you can recover files from the Chest.  We normally recommend that you leave files in the Chest for a minimum of 2 - 4 weeks, and in the meantime, you can scan the files in the Chest after getting virus definition updates to see if they eventually come out clean.

What was the infection?  If you bring the files out of the Chest, where they are currently safe, you may bring the infection out as well.  If you have had another Avast Virus definition update, try right-clicking on the file in the Chest to scan the file again and see if it still comes out infected or not.  If not, then it is safe to restore (bring it out of the Chest).  If it still comes out infected, then it is not safe to bring it out of the Chest unless you want to infect the rest of your machine.

If this was truly a virus, there may not be a way to repair the file as it most likely was damaged/changed and would be useless.  If it is a file that is needed for your machine to work properly, you may want to try and get the file elsewhere for now by searching online or giving us a screenshot of what is in your Chest so we can see the infection and the files involved.

In the meantime, keep your Avast definitions up to date.  In your next post, please give me more information about your machine (OS, 32 or 64-bit), security software (firewall, other security software), what version and product of Avast you are using.  Thank you.

rlc0503

  • Guest
Re: Recover files from chest
« Reply #2 on: April 13, 2011, 09:35:25 AM »
I have a similar issue with recovering a file from the chest. I did as you said SAFESURF and it says the clean failed even after a few weeks. The file is a boot file because my laptop freezes on start up and I have to open the task manager and end the process and then my computer will start. I would normally just deal with it but it's my wife's computer and she doesn't have the patience.

The file is owner/appdata/local/wicapifx.dll.
The comp is an HP pavilion dv3 with vista home premium 64 bit.

I googled the file but nothing came up. Do you have any suggestions for me?

Thanks in advance

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Recover files from chest
« Reply #3 on: April 13, 2011, 09:46:21 AM »
This wicapifx.dll is in the chest right now? Or did you take it out of the chest?

What is the process you have to cancel on bootup?
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

rlc0503

  • Guest
Re: Recover files from chest
« Reply #4 on: April 13, 2011, 09:55:29 AM »
The file is still in the chest. I just restarted my computer and it made a liar out of me. It loaded but it came up with a window that says

ERROR LOADING C:\users\owner\AppData\local\wicapifx.dll
The specified Module could not be found.

So I hit OK and then it froze and I couldn't do anything for about 3 minutes and now it seems like it is working but extremely slow. My processor says it's at 90-100% and I just rebooted and have not tried to do anything other than what I explained??

I'm not sure if you can help me?

Offline Zyndstoff (aka Steven Gail)

Re: Recover files from chest
« Reply #5 on: April 13, 2011, 10:06:50 AM »
Well, there is no info to be found about Wicapifx.dll as you already found out. That is usually not a good sign. Leave the file in the chest for now.

My proposal is: download Malwarebytes Antimalware free version here.

Run the installation.
Start MBAM and make sure to update the definition within the GUI of MBAM.
Start a quickscan (sufficient enough, takes only a few minutes) and post the log here.

I'm afraid there may be some bad stuff on your system. But we'll see.

rlc0503

  • Guest
Re: Recover files from chest
« Reply #6 on: April 13, 2011, 10:22:47 AM »
I did as you said and here are the results. That is amazing. I have never heard of a program like that. I assumed the anti virus got everything. The antimalware doctor crap is the original problem. I think it was from me going to a site trying to find cheats for robo defense on droid?? It was a few weeks ago like I said but I thought the AVAST got it all??

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6349

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/13/2011 4:19:14 AM
mbam-log-2011-04-13 (04-18-37).txt

Scan type: Quick scan
Objects scanned: 168176
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fgixigafekuteg (Trojan.Agent.U) -> Value: Fgixigafekuteg -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\k70ccreloc.exe (Trojan.FakeAlert) -> Value: k70ccreloc.exe -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor (Rogue.AntiMalwareDoctor) -> No action taken.

Files Infected:
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> No action taken.
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> No action taken.
c:\Users\Owner\AppData\Local\Temp\0.19674722990225746.exe (Trojan.Dropper) -> No action taken.
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> No action taken.
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor\uninstall.lnk (Rogue.AntiMalwareDoctor) -> No action taken.

rlc0503

  • Guest
Re: Recover files from chest
« Reply #7 on: April 13, 2011, 10:23:59 AM »
Do I continue with removal?

Offline Zyndstoff (aka Steven Gail)

Re: Recover files from chest
« Reply #8 on: April 13, 2011, 10:27:29 AM »
Okay, just as I suspected.
 8)

Let's see: run the MBAM scan again and have MBAM delete what it finds.

In the log you will then see instead of "no action taken" the term "deleted and quarantined successfully" (at least I hope so)

Post log again, please.

BTW: no AV program is a 100% secure thing, sadly.

rlc0503

  • Guest
Re: Recover files from chest
« Reply #9 on: April 13, 2011, 10:33:02 AM »
Here it is. All folders and files quarantined and deleted successfully. Thank you. Where does this leave me as far as my system being clean or not?

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6349

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/13/2011 4:30:32 AM
mbam-log-2011-04-13 (04-30-32).txt

Scan type: Quick scan
Objects scanned: 168191
Time elapsed: 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fgixigafekuteg (Trojan.Agent.U) -> Value: Fgixigafekuteg -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\k70ccreloc.exe (Trojan.FakeAlert) -> Value: k70ccreloc.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\antimalware doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\0.19674722990225746.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\antimalware doctor\uninstall.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
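
Added example, not part of the original thread and not Malwarebytes' own tooling: a small parser for the MBAM 1.50 log layout shown in the posts above, which checks that every detection was actually removed and flags entries in logon-autostart locations. The function names are hypothetical and the regular expressions assume the entry format visible in these logs.

```python
import re

# Excerpt of the first MBAM log posted in this thread, trimmed to three entries.
LOG_BEFORE = r"""Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fgixigafekuteg (Trojan.Agent.U) -> Value: Fgixigafekuteg -> No action taken.

Files Infected:
c:\Users\Owner\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\antimalware doctor.lnk (Rogue.AntiMalwareDoctor) -> No action taken.
c:\Users\Owner\AppData\Local\Temp\0.19674722990225746.exe (Trojan.Dropper) -> No action taken.
"""
# Constructed: same entries with the action text the second posted log shows.
LOG_AFTER = LOG_BEFORE.replace("No action taken.", "Quarantined and deleted successfully.")

SECTION = re.compile(r"^(.+) Infected:\s*$")  # section header, not the "...: 2" counters
# Entry shape (assumed from the logs above): <object> (<detection>) -> [detail ->] <action>.
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?:.+ -> )?(?P<action>[^>]+?)\.?\s*$")
# Locations that run at logon: Run keys and the Startup folder.
AUTOSTART = re.compile(r"\\CurrentVersion\\Run\\|\\Programs\\Startup\\", re.I)

def parse_mbam_log(text):
    """Return one dict per detection line: section, object, detection, action."""
    entries, section = [], None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        m = ENTRY.match(line)
        if m and section:
            entries.append({"section": section, "object": m["obj"],
                            "detection": m["det"], "action": m["action"],
                            "autostart": bool(AUTOSTART.search(m["obj"]))})
    return entries

def unresolved(entries):
    """Detections the scanner reported but did not remove."""
    return [e for e in entries if "successfully" not in e["action"].lower()]

def summary(text):
    """Counts to compare between the scan-only log and the post-removal log."""
    entries = parse_mbam_log(text)
    left = unresolved(entries)
    return {"detections": len(entries), "unresolved": len(left),
            "autostart_unresolved": sum(e["autostart"] for e in left)}

if __name__ == "__main__":
    print("before:", summary(LOG_BEFORE))
    print("after: ", summary(LOG_AFTER))
```

Feeding it the full text of a saved `mbam-log-*.txt` file works the same way as the embedded excerpt.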

Offline Zyndstoff (aka Steven Gail)

Re: Recover files from chest
« Reply #10 on: April 13, 2011, 10:43:12 AM »
Okay, just to have fun:

Run the scan once more. The log should be clean now.

Please respond again.

rlc0503

  • Guest
Re: Recover files from chest
« Reply #11 on: April 13, 2011, 10:52:33 AM »
Thank you again. I really appreciate your help.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6349

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/13/2011 4:51:22 AM
mbam-log-2011-04-13 (04-51-22).txt

Scan type: Quick scan
Objects scanned: 168115
Time elapsed: 2 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline Zyndstoff (aka Steven Gail)

Re: Recover files from chest
« Reply #12 on: April 13, 2011, 10:57:51 AM »
Okay, this does look good, doesn't it?  ;D

Anyway, it is not a bad idea to do an Avast scan also, maybe a quick scan for now.
Reboot, to see if it's working. If so, you can delete the file in the chest.

Please come back after reboot and give me an update whether problem solved or not. Thx.